diff --git a/4dev/database/function/edit_set_access_uid.sql b/4dev/database/function/edit_set_access_uid.sql
index 37fd55a6..89d4b053 100644
--- a/4dev/database/function/edit_set_access_uid.sql
+++ b/4dev/database/function/edit_set_access_uid.sql
@@ -1,6 +1,6 @@
-- add uid add for edit_access table
-CREATE OR REPLACE FUNCTION set_edit_access_uid() RETURNS TRIGGER AS
+CREATE OR REPLACE FUNCTION set_edit_access_uid() RETURNS TRIGGER AS
$$
DECLARE
myrec RECORD;
diff --git a/4dev/database/table/edit_access.sql b/4dev/database/table/edit_access.sql
index 40e3e1f6..71c279e9 100644
--- a/4dev/database/table/edit_access.sql
+++ b/4dev/database/table/edit_access.sql
@@ -10,7 +10,8 @@ CREATE TABLE edit_access (
edit_access_id SERIAL PRIMARY KEY,
name VARCHAR UNIQUE,
description VARCHAR,
- COLOR VARCHAR
+ color VARCHAR,
+ uid VARCHAR
) INHERITS (edit_generic) WITHOUT OIDS;
DELETE FROM edit_access;
diff --git a/www/lib/CoreLibs/ACL/Login.inc b/www/lib/CoreLibs/ACL/Login.inc
index fe6c4518..08c0a5bf 100644
--- a/www/lib/CoreLibs/ACL/Login.inc
+++ b/www/lib/CoreLibs/ACL/Login.inc
@@ -70,6 +70,8 @@ class Login extends \CoreLibs\DB\IO
private $login_error; // login error code, can be matched to the array login_error_msg, which holds the string
private $password_change = false; // if this is set to true, the user can change passwords
private $password_change_ok = false; // password change was successful
+ private $password_forgot = false; // can we reset password and mail to user with new password set screen
+ private $password_forgot_ok = false; // password forgot mail send ok
private $pw_change_deny_users = array (); // array of users for which the password change is forbidden
// if we have password change we need to define some rules
@@ -83,7 +85,11 @@ class Login extends \CoreLibs\DB\IO
// all possible login error conditions
private $login_error_msg = array ();
// this is an array holding all strings & templates passed from the outside (translation)
- private $login_template = array ('strings' => array (), 'password_change' => '', 'template' => '');
+ private $login_template = array (
+ 'strings' => array (),
+ 'password_change' => '',
+ 'template' => ''
+ );
// acl vars
public $acl = array ();
@@ -179,6 +185,10 @@ class Login extends \CoreLibs\DB\IO
if (defined('PASSWORD_CHANGE')) {
$this->password_change = PASSWORD_CHANGE;
}
+ // NOTE: forgot password flow with email
+ if (defined('PASSWORD_FORGOT')) {
+ $this->password_forgot = PASSWORD_FORGOT;
+ }
// max login counts before error reporting
$this->max_login_error_count = 10;
// users that never get locked, even if they are set strict
@@ -216,6 +226,10 @@ class Login extends \CoreLibs\DB\IO
if ($this->password_change) {
$this->loginPasswordChange();
}
+ // password forgot
+ if ($this->password_forgot) {
+ $this->loginPasswordForgot();
+ }
// if !$euid || permission not okay, print login screan
echo $this->loginPrintLogin();
// closing all connections, depending on error status, exit
@@ -386,7 +400,9 @@ class Login extends \CoreLibs\DB\IO
$_SESSION["DEFAULT_LANG"] = $res["lang_short"].'_'.strtolower(str_replace('-', '', $res["lang_iso"]));
// reset any login error count for this user
if ($res['login_error_count'] > 0) {
- $q = "UPDATE edit_user SET login_error_count = 0, login_error_date_last = NULL, login_error_date_first = NULL WHERE edit_user_id = ".$res['edit_user_id'];
+ $q = "UPDATE edit_user ";
+ $q .= "SET login_error_count = 0, login_error_date_last = NULL, login_error_date_first = NULL ";
+ $q .= "WHERE edit_user_id = ".$res['edit_user_id'];
$this->dbExec($q);
}
$pages = array();
@@ -573,7 +589,7 @@ class Login extends \CoreLibs\DB\IO
unset($_SESSION["GROUP_NAME"]);
unset($_SESSION["HEADER_COLOR"]);
session_destroy();
- // he prints the login screen again
+ // then prints the login screen again
$this->permission_okay = 0;
}
}
@@ -596,88 +612,91 @@ class Login extends \CoreLibs\DB\IO
// * if an account ACL is set, set this parallel, account ACL overrides user ACL if it applies
// * if edit access ACL level is set, use this, else use page
// set all base ACL levels as a list keyword -> ACL number
- public function loginSetAcl()
+ private function loginSetAcl()
{
- // we start with the default acl
- $this->acl['base'] = DEFAULT_ACL_LEVEL;
+ // only set acl if we have permission okay
+ if ($this->permission_okay) {
+ // we start with the default acl
+ $this->acl['base'] = DEFAULT_ACL_LEVEL;
- // set admin flag and base to 100
- if ($_SESSION['ADMIN']) {
- $this->acl['admin'] = 1;
- $this->acl['base'] = 100;
- } else {
- $this->acl['admin'] = 0;
- // now go throw the flow and set the correct ACL
- // user > page > group
- // group ACL 0
- if ($_SESSION['GROUP_ACL_LEVEL'] != -1) {
- $this->acl['base'] = $_SESSION['GROUP_ACL_LEVEL'];
- }
- // page ACL 1
- if ($_SESSION['PAGES_ACL_LEVEL'][$this->page_name] != -1) {
- $this->acl['base'] = $_SESSION['PAGES_ACL_LEVEL'][$this->page_name];
- }
- // user ACL 2
- if ($_SESSION['USER_ACL_LEVEL'] != -1) {
- $this->acl['base'] = $_SESSION['USER_ACL_LEVEL'];
- }
- }
-
- // set the current page acl
- // start with default acl
- // set group if not -1, overrides default
- // set page if not -1, overrides group set
- $this->acl['page'] = DEFAULT_ACL_LEVEL;
- if ($_SESSION['GROUP_ACL_LEVEL'] != -1) {
- $this->acl['page'] = $_SESSION['GROUP_ACL_LEVEL'];
- }
- if (isset($_SESSION['PAGES_ACL_LEVEL'][$this->page_name]) && $_SESSION['PAGES_ACL_LEVEL'][$this->page_name] != -1) {
- $this->acl['page'] = $_SESSION['PAGES_ACL_LEVEL'][$this->page_name];
- }
-
- // PER ACCOUNT (UNIT/edit access)->
- foreach ($_SESSION['UNIT'] as $ea_id => $unit) {
- // if admin flag is set, all units are set to 100
- if ($this->acl['admin']) {
- $this->acl['unit'][$ea_id] = $this->acl['base'];
+ // set admin flag and base to 100
+ if ($_SESSION['ADMIN']) {
+ $this->acl['admin'] = 1;
+ $this->acl['base'] = 100;
} else {
- if ($unit['acl_level'] != -1) {
- $this->acl['unit'][$ea_id] = $unit['acl_level'];
- } else {
- $this->acl['unit'][$ea_id] = $this->acl['base'];
+ $this->acl['admin'] = 0;
+ // now go throw the flow and set the correct ACL
+ // user > page > group
+ // group ACL 0
+ if ($_SESSION['GROUP_ACL_LEVEL'] != -1) {
+ $this->acl['base'] = $_SESSION['GROUP_ACL_LEVEL'];
+ }
+ // page ACL 1
+ if ($_SESSION['PAGES_ACL_LEVEL'][$this->page_name] != -1) {
+ $this->acl['base'] = $_SESSION['PAGES_ACL_LEVEL'][$this->page_name];
+ }
+ // user ACL 2
+ if ($_SESSION['USER_ACL_LEVEL'] != -1) {
+ $this->acl['base'] = $_SESSION['USER_ACL_LEVEL'];
}
}
- // detail name/level set
- $this->acl['unit_detail'][$ea_id] = array (
- 'name' => $unit['name'],
- 'uid' => $unit['uid'],
- 'level' => $this->default_acl_list[$this->acl['unit'][$ea_id]]['name'],
- 'default' => $unit['default'],
- 'data' => $unit['data']
- );
- // set default
- if ($unit['default']) {
- $this->acl['unit_id'] = $unit['id'];
- $this->acl['unit_name'] = $unit['name'];
- $this->acl['unit_uid'] = $unit['uid'];
+
+ // set the current page acl
+ // start with default acl
+ // set group if not -1, overrides default
+ // set page if not -1, overrides group set
+ $this->acl['page'] = DEFAULT_ACL_LEVEL;
+ if ($_SESSION['GROUP_ACL_LEVEL'] != -1) {
+ $this->acl['page'] = $_SESSION['GROUP_ACL_LEVEL'];
}
+ if (isset($_SESSION['PAGES_ACL_LEVEL'][$this->page_name]) && $_SESSION['PAGES_ACL_LEVEL'][$this->page_name] != -1) {
+ $this->acl['page'] = $_SESSION['PAGES_ACL_LEVEL'][$this->page_name];
+ }
+
+ // PER ACCOUNT (UNIT/edit access)->
+ foreach ($_SESSION['UNIT'] as $ea_id => $unit) {
+ // if admin flag is set, all units are set to 100
+ if ($this->acl['admin']) {
+ $this->acl['unit'][$ea_id] = $this->acl['base'];
+ } else {
+ if ($unit['acl_level'] != -1) {
+ $this->acl['unit'][$ea_id] = $unit['acl_level'];
+ } else {
+ $this->acl['unit'][$ea_id] = $this->acl['base'];
+ }
+ }
+ // detail name/level set
+ $this->acl['unit_detail'][$ea_id] = array (
+ 'name' => $unit['name'],
+ 'uid' => $unit['uid'],
+ 'level' => $this->default_acl_list[$this->acl['unit'][$ea_id]]['name'],
+ 'default' => $unit['default'],
+ 'data' => $unit['data']
+ );
+ // set default
+ if ($unit['default']) {
+ $this->acl['unit_id'] = $unit['id'];
+ $this->acl['unit_name'] = $unit['name'];
+ $this->acl['unit_uid'] = $unit['uid'];
+ }
+ }
+ // flag if to show extra edit access drop downs (because user has multiple groups assigned)
+ if (count($_SESSION['UNIT']) > 1) {
+ $this->acl['show_ea_extra'] = 1;
+ } else {
+ $this->acl['show_ea_extra'] = 0;
+ }
+ // set the default edit access
+ $this->acl['default_edit_access'] = $_SESSION['UNIT_DEFAULT'];
+ // integrate the type acl list, but only for the keyword -> level
+ foreach ($this->default_acl_list as $level => $data) {
+ $this->acl['min'][$data['type']] = $level;
+ }
+ // set the full acl list too
+ $this->acl['acl_list'] = $_SESSION['DEFAULT_ACL_LIST'];
+ // debug
+ // $this->debug('ACL', $this->print_ar($this->acl));
}
- // flag if to show extra edit access drop downs (because user has multiple groups assigned)
- if (count($_SESSION['UNIT']) > 1) {
- $this->acl['show_ea_extra'] = 1;
- } else {
- $this->acl['show_ea_extra'] = 0;
- }
- // set the default edit access
- $this->acl['default_edit_access'] = $_SESSION['UNIT_DEFAULT'];
- // integrate the type acl list, but only for the keyword -> level
- foreach ($this->default_acl_list as $level => $data) {
- $this->acl['min'][$data['type']] = $level;
- }
- // set the full acl list too
- $this->acl['acl_list'] = $_SESSION['DEFAULT_ACL_LIST'];
- // debug
- // $this->debug('ACL', $this->print_ar($this->acl));
}
// METHOD: loginCheckEditAccess
@@ -793,7 +812,7 @@ class Login extends \CoreLibs\DB\IO
// METHOD: loginPrintLogin
// WAS : login_print_login
// PARAMS: none
- // RETURN: none
+ // RETURN: html data for login page
// DESC : prints out login html part if no permission (error) is set
private function loginPrintLogin()
{
@@ -863,7 +882,7 @@ class Login extends \CoreLibs\DB\IO
// METHOD: loginCloseClass
// WAS : login_close_class
// PARAMS: none
- // RETURN: none
+ // RETURN: true on permission ok, false on permission wrong
// DESC : last function called, writes log and prints out error msg and exists script if permission 0
private function loginCloseClass()
{
@@ -882,8 +901,8 @@ class Login extends \CoreLibs\DB\IO
// prepare for log
if ($this->euid) {
// get user from user table
- $q = "SELECT username, password FROM edit_user WHERE edit_user_id = ".$this->euid;
- list($username, $password) = $this->dbReturnRow($q);
+ $q = "SELECT username FROM edit_user WHERE edit_user_id = ".$this->euid;
+ list($username) = $this->dbReturnRow($q);
} // if euid is set, get username (or try)
$this->writeLog($event, '', $this->login_error, $username);
} // write log under certain settings
@@ -898,50 +917,50 @@ class Login extends \CoreLibs\DB\IO
// METHOD: loginSetTemplates
// WAS : login_set_templates
- // PARAMS:
+ // PARAMS: none
// RETURN: none
// DESC : checks if there are external templates, if not uses internal fallback ones
private function loginSetTemplates()
{
$strings = array (
- 'HTML_TITLE' => $this->l->__("LOGIN"),
- 'TITLE' => $this->l->__("LOGIN"),
- 'USERNAME' => $this->l->__("Username"),
- 'PASSWORD' => $this->l->__("Password"),
- 'LOGIN' => $this->l->__("Login"),
+ 'HTML_TITLE' => $this->l->__('LOGIN'),
+ 'TITLE' => $this->l->__('LOGIN'),
+ 'USERNAME' => $this->l->__('Username'),
+ 'PASSWORD' => $this->l->__('Password'),
+ 'LOGIN' => $this->l->__('Login'),
'ERROR_MSG' => '',
'LOGOUT_TARGET' => '',
'PASSWORD_CHANGE_BUTTON_VALUE' => $this->l->__('Change Password')
);
$error_msgs = array (
- "100" => $this->l->__("Fatal Error: [EUID] came in as GET/POST!"), // actually obsolete
- "1010" => $this->l->__("Fatal Error: Login Failed - Wrong Username or Password"), // user not found
- "1011" => $this->l->__("Fatal Error: Login Failed - Wrong Username or Password"), // blowfish password wrong
- "1012" => $this->l->__("Fatal Error: Login Failed - Wrong Username or Password"), // fallback md5 password wrong
- "1013" => $this->l->__("Fatal Error: Login Failed - Wrong Username or Password"), // new password_hash wrong
- "102" => $this->l->__("Fatal Error: Login Failed - Please enter username and password"),
- "103" => $this->l->__("Fatal Error: You do not have the rights to access this Page"),
- "104" => $this->l->__("Fatal Error: Login Failed - User not enabled"),
- "105" => $this->l->__("Fatal Error: Login Failed - User is locked"),
- "220" => $this->l->__("Fatal Error: Password change - The user could not be found"), // actually this is an illegal user, but I mask it
- '200' => $this->l->__("Fatal Error: Password change - Please enter username and old password"),
- "201" => $this->l->__("Fatal Error: Password change - The user could not be found"),
- "202" => $this->l->__("Fatal Error: Password change - The old password is not correct"),
- "203" => $this->l->__("Fatal Error: Password change - Please fill out both new password fields"),
- "204" => $this->l->__("Fatal Error: Password change - The new passwords do not match"),
- "205" => $this->l->__("Fatal Error: Password change - The new password is not in a valid format"), // we should also not here WHAT is valid
- "300" => $this->l->__("Success: Password change successful"), // for OK password change
- "9999" => $this->l->__("Fatal Error: necessary crypt engine could not be found. Login is impossible") // this is bad bad error
+ '100' => $this->l->__('Fatal Error: [EUID] came in as GET/POST!'), // actually obsolete
+ '1010' => $this->l->__('Fatal Error: Login Failed - Wrong Username or Password'), // user not found
+ '1011' => $this->l->__('Fatal Error: Login Failed - Wrong Username or Password'), // blowfish password wrong
+ '1012' => $this->l->__('Fatal Error: Login Failed - Wrong Username or Password'), // fallback md5 password wrong
+ '1013' => $this->l->__('Fatal Error: Login Failed - Wrong Username or Password'), // new password_hash wrong
+ '102' => $this->l->__('Fatal Error: Login Failed - Please enter username and password'),
+ '103' => $this->l->__('Fatal Error: You do not have the rights to access this Page'),
+ '104' => $this->l->__('Fatal Error: Login Failed - User not enabled'),
+ '105' => $this->l->__('Fatal Error: Login Failed - User is locked'),
+ '220' => $this->l->__('Fatal Error: Password change - The user could not be found'), // actually this is an illegal user, but I mask it
+ '200' => $this->l->__('Fatal Error: Password change - Please enter username and old password'),
+ '201' => $this->l->__('Fatal Error: Password change - The user could not be found'),
+ '202' => $this->l->__('Fatal Error: Password change - The old password is not correct'),
+ '203' => $this->l->__('Fatal Error: Password change - Please fill out both new password fields'),
+ '204' => $this->l->__('Fatal Error: Password change - The new passwords do not match'),
+ '205' => $this->l->__('Fatal Error: Password change - The new password is not in a valid format'), // we should also not here WHAT is valid
+ '300' => $this->l->__('Success: Password change successful'), // for OK password change
+ '9999' => $this->l->__('Fatal Error: necessary crypt engine could not be found. Login is impossible') // this is bad bad error
);
// if password change is okay
if ($this->password_change) {
$strings = array_merge($strings, array (
'TITLE_PASSWORD_CHANGE' => 'Change Password for User',
- 'OLD_PASSWORD' => $this->l->__("Old Password"),
- 'NEW_PASSWORD' => $this->l->__("New Password"),
- 'NEW_PASSWORD_CONFIRM' => $this->l->__("New Password confirm"),
+ 'OLD_PASSWORD' => $this->l->__('Old Password'),
+ 'NEW_PASSWORD' => $this->l->__('New Password'),
+ 'NEW_PASSWORD_CONFIRM' => $this->l->__('New Password confirm'),
'CLOSE' => $this->l->__('Close'),
'JS_SHOW_HIDE' => "function ShowHideDiv(id) { element = document.getElementById(id); if (element.className == 'visible' || !element.className) element.className = 'hidden'; else element.className = 'visible'; }",
'PASSWORD_CHANGE_BUTTON' => ''
@@ -960,7 +979,10 @@ class Login extends \CoreLibs\DB\IO
{PASSWORD_CHANGE_SHOW}
EOM;
- } else {
+ }
+ if ($this->password_forgot) {
+ }
+ if (!$this->password_change && !$this->password_forgot) {
$strings = array_merge($strings, array (
'JS_SHOW_HIDE' => '',
'PASSWORD_CHANGE_BUTTON' => '',